What is a reportable incident under the NDIS?

A reportable incident is a defined category of serious event that a registered NDIS provider must notify the NDIS Commission about. Categories include the death or serious injury of a participant, abuse or neglect, unlawful physical or sexual contact, and the unauthorised use of a restrictive practice. These are set out in the NDIS (Incident Management and Reportable Incidents) Rules 2018.

How quickly does a new NDIS provider need to report a reportable incident to the Commission?

Under the NDIS Rules, providers must generally notify the NDIS Commission within 24 hours of becoming aware of a reportable incident, and submit a full written report within five days. Always check the current NDIS Commission guidance, as timeframes may be updated.

Does every NDIS provider need an incident management policy, or only SIL providers?

Every registered NDIS provider must have an incident management system in place — this is a requirement of the NDIS Practice Standards that applies across all registration groups. SIL providers and those delivering complex or high-intensity supports face particularly close scrutiny, but no registered provider is exempt.

What happens if a provider fails to report a reportable incident to the NDIS Commission?

Failure to report a reportable incident is a serious compliance breach. The NDIS Commission can take compliance action, which may include banning orders, conditions on registration, or referral to relevant law enforcement or safeguarding agencies. Persistent non-compliance can result in suspension or cancellation of registration.

How often should an NDIS incident management policy be reviewed?

NDIS Practice Standards require providers to review their quality management systems, including incident management policies, on a regular basis. Industry practice and auditor expectations are typically at least once per year, or following a significant incident, a change in service type, or updates to the NDIS Rules.

Can staff report incidents anonymously under the NDIS framework?

The NDIS framework does not prescribe anonymous reporting as a requirement, but providers are required to maintain a culture where workers feel safe to report incidents without fear of retaliation. Your policy should include explicit protections for workers who report in good faith, and may optionally allow anonymous reporting through an internal channel.

NDIS Incident Management Policy Checklist for New Providers

Why Every New NDIS Provider Needs a Compliant Incident Management Policy

If you are registering as an NDIS provider — particularly for Supported Independent Living (SIL) or any high-intensity or complex support — an incident management policy is not optional. It is a mandatory requirement under the NDIS (Incident Management and Reportable Incidents) Rules 2018 and the NDIS Practice Standards. From the moment you are registered, the NDIS Commission expects you to have a documented, implemented, and reviewed policy in place.

For new providers, this is one of the most common areas where auditors find non-conformances. A vague policy, a template that has not been adapted to your service context, or a policy that exists on paper but is not understood by staff — all of these can result in a finding against you. The 2026 strengthened Practice Standards have placed even greater emphasis on continuous improvement, worker screening, and governance, making robust incident management frameworks more critical than ever.

Use the checklist below to build or audit your policy before your initial registration audit.

NDIS Incident Management Policy Checklist

1. Policy Foundations

The policy is titled, version-controlled, and has a clearly stated review date (at minimum annual review).
The policy references the NDIS (Incident Management and Reportable Incidents) Rules 2018 and the applicable Practice Standards.
The policy states its purpose: to protect participants, support open disclosure, and meet the provider's obligations to the NDIS Commission.
The policy applies to all workers, contractors, and volunteers who deliver supports on the provider's behalf.
The policy is written in plain language and has been made accessible to participants and their supporters.

2. Definition of Incidents and Reportable Incidents

The policy clearly defines what constitutes an "incident" in your service context (e.g., falls, medication errors, property damage, verbal altercations, participant distress).
The policy specifically defines "reportable incidents" as set out in the NDIS Rules, including:
- Death of a participant
- Serious injury of a participant
- Abuse or neglect of a participant
- Unlawful sexual or physical contact, or assault
- Use of a restrictive practice not in a participant's behaviour support plan
- Unauthorised use of a restrictive practice
The distinction between internal incidents and reportable incidents is explained clearly for all staff.

3. Immediate Response Procedures

The policy outlines the immediate steps a worker must take when an incident occurs (e.g., ensure participant safety, call emergency services if required, notify their supervisor).
Responsibilities for first response are assigned by role, not left ambiguous.
The policy includes guidance on preserving evidence and avoiding interference with a potential investigation scene where relevant.
Participant and family/guardian notification obligations are described, including the timeframe for notification.

4. Internal Reporting Timeframes and Process

Workers are required to report all incidents to a designated person (e.g., team leader or compliance officer) as soon as practicable — and the policy states this expectation clearly.
An incident report form or system is identified and described; staff know how to access it.
The internal escalation pathway is documented (worker → supervisor → compliance/management → CEO or governance body if required).
The policy specifies who is responsible for completing the formal incident record and within what timeframe.

5. Mandatory Reporting to the NDIS Commission

The policy identifies the person(s) responsible for notifying the NDIS Commission of reportable incidents.
Initial notification timeframes are stated in the policy. Under the NDIS Rules, most reportable incidents require an initial notification within 24 hours of the provider becoming aware, with a full report due within five days. (Always check the current Rules for any updates, as timeframes can be amended.)
The policy explains how to submit reports via the NDIS Commission Portal.
The policy outlines the requirement to provide a full written report following the initial notification, including any actions taken in response.
The policy addresses the obligation to cooperate with any NDIS Commission investigation or compliance inquiry that may follow a report.

6. Participant Rights and Open Disclosure

The policy affirms the participant's right to be informed about incidents that affect them or occur in their home or day-to-day life.
Open disclosure principles are embedded: participants are told what happened, what the provider is doing about it, and who they can contact for further information.
The policy acknowledges the participant's right to make a complaint about how an incident was handled, and directs them to the provider's complaints process and the NDIS Commission.
Provisions are in place for participants with communication support needs to receive information in an accessible format.

7. Investigation and Review

The policy describes how the provider will investigate reportable incidents, including who conducts the review, the expected timeframe, and how findings are documented.
The policy requires that investigations be conducted impartially and that any worker subject to allegations is appropriately stood down or managed during the process.
Root cause analysis or a structured review process is referenced for serious incidents.
Investigation outcomes and corrective actions are recorded and tracked.

8. Corrective Actions and Continuous Improvement

The policy requires that identified systemic issues are addressed through documented corrective action plans.
Corrective actions are assigned to specific responsible persons with target completion dates.
The provider's leadership or governance body reviews incident trends at a defined regular interval (e.g., monthly or quarterly).
Incidents and near-misses are used as learning opportunities; the policy references how learnings are shared with the workforce.
The incident management system itself is reviewed at least annually, or following a significant incident.

9. Restrictive Practices

If your registration includes behaviour support or any regulated restrictive practices, the policy explicitly addresses the obligation to report any unauthorised use of a restrictive practice as a reportable incident.
The policy cross-references your behaviour support policy and any relevant participant behaviour support plans.
Staff are trained on what constitutes an unauthorised restrictive practice and their obligation to report it immediately.

10. Staff Training and Awareness

All workers receive induction training on the incident management policy before they commence work with participants.
Ongoing training records are maintained to demonstrate staff have been trained and understand their obligations.
The policy is readily accessible to all workers at any time (e.g., via an intranet, shared drive, or physical location).
Workers know they are protected from retaliation for reporting incidents in good faith.

Common Non-Conformances Found by Auditors

Quality auditors assessing providers under the NDIS Practice Standards regularly find the following gaps in incident management policies:

Timeframes not specified: The policy says "report promptly" without specifying the 24-hour and five-day requirements from the NDIS Rules.
Reportable incidents not fully defined: Staff do not know the specific categories that trigger mandatory Commission notification.
No designated responsible person: The policy does not identify who is responsible for submitting notifications to the Commission.
Participant notification absent: The policy covers staff reporting but omits the obligation to tell the participant what happened.
Corrective actions not tracked: Incidents are recorded, but there is no evidence of follow-through or systemic review.
Policy not reviewed: A provider submits a policy with no version history or evidence of review since initial registration.

A Note on the 2026 Strengthened Practice Standards

The NDIS Commission's strengthened Practice Standards, progressively implemented from 2024 and fully in effect for registrations and audits in the 2026 cycle, place greater emphasis on governance accountability and provider leadership actively overseeing safety systems. This means your incident management policy must demonstrably connect to your board or senior leadership — not sit siloed with a compliance officer. Auditors will ask how leadership receives and acts on incident data, not just whether a policy document exists.

Getting Audit-Ready

Building a compliant incident management policy from scratch is one part of the larger documentation burden new providers face. If you are registering for SIL or complex supports, you will also need policies across behaviour support, complaints, worker screening, risk management, and more. The ndiscompliant.com.au 74-document SIL compliance kit is designed specifically for new providers who need a complete, audit-ready document set that aligns with current NDIS Commission requirements — without building everything individually from a blank page.

Whether you use a kit or build your own, the most important thing is that your incident management policy reflects how your organisation actually works — and that your team understands it.

Important: This article provides general guidance about NDIS compliance requirements. It is not legal or professional advice. Requirements may change as the NDIS Commission updates its policies and Practice Standards. Always verify current requirements with the NDIS Quality and Safeguards Commission or a registered NDIS consultant before making compliance decisions.